Systems and methods for configuring a network function proxy for secure communication

ABSTRACT

A device may determine that a network function of a network is to use a secure communication protocol. The network function may be configured to facilitate communication via the network. The device may identify a component of a resource configuration that is to instantiate the network function. The device may instantiate, using the component, a proxy for the network function. The device may configure the proxy to obtain a certificate that is associated with the secure communication protocol. The device may cause the proxy to use the certificate to communicate with another proxy that is associated with the network function to perform an operation associated with the network function.

BACKGROUND

A public key infrastructure (PKI) is a set of hardware, software,policies, and procedures that provides a framework of encryption anddata communication standards used to secure communications over anetwork.

BRIEF DESCRIPTION OF THE DRAWINGS

FIGS. 1A-1L are diagrams of one or more example implementationsdescribed herein.

FIG. 2 is a diagram of an example implementation described herein.

FIG. 3 is a diagram of an example environment in which systems and/ormethods described herein may be implemented.

FIG. 4 is a diagram of example components of one or more devices of FIG.3.

FIG. 5 is a flow chart of an example process relating to configuring anetwork function proxy for secure communication.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

The following detailed description of example implementations refers tothe accompanying drawings. The same reference numbers in differentdrawings may identify the same or similar elements.

A network may include an entity (e.g., a device, an application, avirtual machine, a container, and/or the like) configured to perform afunction and/or a service associated with the network. For example, anentity may be configured to perform a network function, such as aswitching function, a routing function, a load balancing function, afirewall function, a gateway function, an intrusion detection function,and/or the like.

To provide security to ensure the integrity of data transmitted throughthe network, an entity may establish a trust relationship with anotherentity and data transmitted between the entities may be encrypted. Thetrust relationship may refer to a process that enables an entity toverify, with a certain degree of confidence, that data purporting tocome from another entity (e.g., data including a source addressassociated with the other entity) was transmitted to the entity by theother entity. Encrypting the data transmitted between the entities mayprotect the data from being altered or changed prior to being receivedby a receiving one of the entities.

Commonly, an entity utilizes a public key infrastructure (PKI) toestablish a trust relationship with another entity and/or to encryptdata transmitted between the entities. A PKI is a security architecturethat enables the establishment of a trust relationship and/or the securetransfer of data in a network through a process that binds a public keywith an identity of an entity.

The binding of the public key with the identity of an entity may beestablished through a process of registration and issuance of acertificate at, and by, a public certificate authority (CA). The publicCA may act as a trusted third party that an entity may rely upon forverification of the identity of another entity.

For example, an entity implemented in a network may generate a privatekey and a public key for encrypting and decrypting data. The entity maygenerate a certificate signing request (CSR) for requesting acertificate from the public CA. The CSR may include informationidentifying the entity (e.g., information identifying a deviceassociated with the entity (e.g., a MAC address, a serial number, and/orthe like), information identifying an Internet service provider (ISP)associated with the entity and/or the network (e.g., a name of the ISP,a physical address associated with the ISP, an email address associatedwith the ISP, and/or the like), and/or the like), the public key, and/orthe like.

The entity may transmit the CSR to a registration authority. Theregistration authority verifies and/or authenticates the identity of theentity based on the information included in the CSR and forwards the CSRto a public CA. The public CA provides the CSR to a certificate serverthat generates a certificate for the entity based on the public key. Thecertificate may include the public key and may be stored in a publicdatabase and/or transmitted to the entity.

The certificate, the public key, and/or the private key may enable theentity to establish a trust relationship with another entity. Forexample, data transmitted by the entity to the other entity may includea digital signature and/or the certificate. The entity may encrypt thedigital signature using the private key. The other entity may query thepublic CA that issued the certificate to determine that the certificateis valid. The other entity may use the public key of the entity todecrypt the digital signature. The other entity may determine that thedata was transmitted by the entity based on successfully decrypting thedigital signature.

The data transmitted by the entity may be encrypted based on the publickey associated with the other entity. For example, the entity mayrequest the public key associated with the other entity from the otherentity, obtain the public key associated with the other entity from thepublic database, and/or the like. The entity may utilize the public keyassociated with the other entity to encrypt the data. The other entityreceives the encrypted data and utilizes the private key associated withthe other entity to decrypt the data.

In various networks, a network function may be realized by a virtualmachine or a container implemented on a physical device (e.g., a virtualnetwork function). Utilizing virtual network functions may allow astructure of the network to be modified in response to current networkconditions. For example, a new virtual network function can be added tothe network to alleviate network congestion. However, the virtualnetwork function may be configured to communicate utilizing a limitedset of protocols. The set of protocols may not include a protocolutilized to communicate with a public CA thereby preventing the virtualnetwork function from obtaining a certificate. Thus, a virtual networkfunction may be configured to include a protocol for communicating withthe public CA thereby increasing an amount of computing resources (e.g.,processing resources, memory resources, communicating resources, and/orthe like) required to implement the virtual network function relative toa virtual network function that does not include the protocol forcommunicating with the public CA.

Additionally, when the new virtual network function is configured tocommunicate with a public CA, an amount of time required to complete theprocess for obtaining a certificate for the new virtual network functionmay impede a network operator from effectively modifying the network toaddress current network conditions.

Further, obtaining the certificate for the new virtual network functionfrom a public CA may create a security vulnerability associated with thenetwork. For example, a malicious actor may be able to falsely obtain acertificate by impersonating as a virtual network function associatedwith a particular entity more easily relative to impersonating a networkfunction implemented on a physical device (e.g., a physical networkfunction).

The publication or storing of a certificate issued for the new virtualfunction may also create a security vulnerability for the network. Forexample, the certificate may include information identifying the virtualnetwork function, information identifying a device on which the virtualnetwork function is implemented, information identifying an entityassociated with the network (e.g., an ISP), and/or the like. Thisinformation may be obtained and used by a malicious actor to determine atopology of the network and/or other information about the network thatthe malicious actor may use to attack the network. If the maliciousactor attacks the network, computing resources (e.g., processorresources, memory resources, communication resources, and/or the like)may be utilized to identify the attack on the network, investigatesuspicious activity associated with the attack, perform one or moreactions to mitigate damage caused by the attack, and/or the like.

Some implementations described herein may implement a private public keyinfrastructure (e.g., a private PKI) that enables an entity included ina network to establish a trust relationship and/or to communicateencrypted data with another entity included in the network. The privatePKI may be associated with a virtualization platform that includes anetwork function orchestrator. The network function orchestrator mayinstantiate a virtual network function (e.g., an entity) in the networkand may instantiate a distributed proxy associated with the virtualnetwork function.

The distributed proxy may generate a CSR for the virtual networkfunction and may transmit the CSR to a private CA associated with theprivate PKI. Because the distributed proxy requests and obtains thecertificate for the virtual network function, the virtual networkfunction can be configured to include a limited set of protocols (e.g.,a set of protocols that does not include a protocol used solely forcommunicating with a public CA). In this way, fewer computing resourcesmay be utilized to implement the virtual network function relative to acorresponding virtual network function that obtains a certificate from apublic CA.

The private CA may verify the identity of the virtual network functionbased on determining that the virtual network function has beeninstantiated in the network, receiving the CSR from the distributedproxy, and/or the like. In this way, the private CA may verify theidentity of the virtual network function more quickly and based on lessinformation relative to a public CA that verifies the identity of anentity based on information included in the CSR, such as informationidentifying the entity, information identifying an entity associatedwith the network (e.g., an ISP), and/or the like.

Further, by verifying the identity of the virtual network function basedon determining that the virtual network function has been instantiatedin the network, receiving the CSR from the distributed proxy, and/or thelike, the private PKI may prevent a malicious actor from falselyobtaining a certificate by impersonating an identity of the virtualnetwork function.

The private CA may store the certificate in a secure memory and mayprovide the certificate to the distributed proxy. Storing thecertificate in a secure memory, rather than a public database associatedwith a public CA, may prevent a malicious actor from obtaininginformation identifying the virtual network function, informationidentifying a device on which the virtual network function isimplemented, information identifying an entity associated with thenetwork (e.g., an ISP), and/or the like that may be included in acertificate stored in a public database. In this way, the private CA mayprevent the creation of a security risk associated with a maliciousactor determining a topology of the network and/or other informationabout the network that the malicious actor may use to attack the networkbased on the information stored in the public database. By preventingthe creation of the security risk, computing resources, that otherwisemay have been utilized to identify the attack on the network,investigate suspicious activity associated with the attack, perform oneor more actions to mitigate damage caused by the attack, and/or thelike, may be conserved.

FIGS. 1A-1L are diagrams of an example implementation 100 describedherein. As shown in FIGS. 1A-1L, a network function orchestrator 101 isassociated with a core network infrastructure. The network functionorchestrator 101 may manage network resources to ensure that computingresources, storage resources, and/or the like are available to provide anetwork service. As shown in FIG. 1A, the network function orchestrator101 may include a network function manager 102 and a certificate manager103.

The network function manager 102 may manage a lifecycle of networkfunctions included in the core network infrastructure. For example, thenetwork function manager 102 may instantiate a network function, mayscale network functions included in the core network infrastructure, mayupdate a network function, may upgrade a network function, may terminatea network function, and/or the like.

The certificate manager 103 may manage a lifecycle of certificatesobtained from a certificate authority (CA) 104 for network functionsand/or components of network functions included in the core networkinfrastructure. For example, the certificate manager 103 may obtain acertificate for a component of a newly instantiated network function,may validate a certificate based on a request from another component ofthe network function, may determine that a certificate is expired, mayrenew a certificate, may terminate a certificate, and/or the like.

In some implementations, the CA 104 may be co-located with thecertificate manager 103. For example, the CA 104 may be a component ofthe network function orchestrator 101.

In some implementations, the certificate manager 103 may include the CA104. For example, the core network infrastructure may comprise acontainerized core network infrastructure that includes containerizednetwork functions, such as a Kubernetes. The certificate manager 103 maycomprise a citadel configured to perform the functions of thecertificate manager 103 and the CA 104, as described herein.

Alternatively, and/or additionally, the certificate manager 103 may be adistributed signing authority that is issued a certificate by a CA andis authorized to issue certificates to network functions included in thecore network infrastructure.

In some implementations, the network function manager 102 instantiates anetwork function to facilitate communication via the network. Forexample, the network may be a service provider network. A user equipment(UE) 105 may be associated with a customer of the service provider. TheUE 105 may access the service provider network via a radio accessnetwork to access a service provided by the service provider and/orsubscribed to by the customer.

The network function manager 102 may determine that a quantity ofcommunication sessions associated with the network satisfies a thresholdquantity of communication sessions. The network function manager 102 maydetermine to add additional resources to the network based on thequantity of communication sessions satisfying the threshold quantity ofcommunication sessions. As shown in FIG. 1A, and by reference number110, the network function manager 102 determines that a network function(e.g., NF-1, as shown in FIG. 1A) is to be instantiated for acommunication session with the UE 105.

In some implementations, the network function NF-1 is a virtual networkfunction. For example, the network function manager 102 may identify aphysical device for hosting the virtual network function. The networkfunction manager 102 may cause physical resources of the physical deviceto be allocated to the virtual network function. The network functionmanager 102 may deploy or instantiate the virtual network function basedon allocating the physical resources.

In some implementations, the core network infrastructure is acontainerized core network infrastructure and the network function NF-1is a containerized network function. For example, the core networkinfrastructure may be a Kubernetes that groups containers associatedwith an application into a logical unit.

In some implementations, the network function includes a plurality ofcomponents. For example, the network function may include a set of oneor more discrete components, pods, logical units, and/or the like thatinteroperate to perform one or more tasks of the network function. Thenetwork function manager 102 may determine a set of resources of thenetwork (e.g., a set of hardware resources of a physical device includedin the network) on which the components are to be instantiated. Thenetwork function manager 102 may instantiate the components to deploythe network function NF-1.

As shown in FIG. 1B, and by reference number 120, the network functionmanager 102 instantiates a distributed proxy associated with the networkfunction NF-1. For example, the network function manager 102 maydetermine that the network function NF-1 is to utilize the private PKIfor communications between components of the network function NF-1, forcommunications between the network function NF-1 and another networkfunction, and/or the like. The network function manager 102 mayinstantiate the distributed proxy to enable the network function NF-1 toutilize the private PKI for the communications.

In some implementations, the distributed proxy may include a pluralityof proxies. For example, the core network infrastructure may comprise acontainerized core network infrastructure. The network function NF-1 maybe comprised of a group of pods corresponding to components of thenetwork function NF-1. A pod may correspond to a single instance of anapplication associated with the network function NF-1. The pod mayencapsulate one or more containers that package code for the applicationalong with the dependencies the application utilizes at run time and/orstorage resources shared by the one or more containers. The group ofpods may interoperate to provide a network function (e.g., a routingfunction, a switch function, and/or the like).

As shown in FIG. 1C, the network function NF-1 is comprised of eightpods (shown as C1-1 through C1-8). The network function manager mayinstantiate a distributed proxy that includes a respective proxyassociated with each pod of the network function NF-1 (e.g., eightproxies (shown as P1-1 through P1-8)). The proxies may enable the podsto communicate with other pods of the network function NF-1 and/oranother network function (e.g., another pod included in another networkfunction).

For example, a proxy P1-1 may receive data from pod C1-1. The proxy P1-1may determine that the data is to be transmitted to pod C1-8. The proxyP1-1 may transmit the data to pod C1-8 via proxy P1-8 based on aconfiguration of the proxy P1-1 and/or a set of network rules associatedwith proxy P1-1. For example, the set of network rules may cause theproxy P1-1 to utilize a certificate issued by CA 104 to transmit thedata to proxy P1-8, as described below. Proxy P1-8 may receive the dataand may provide the data to pod C1-8.

In some implementations, the plurality of proxies may include a masterproxy. For example, as shown in FIG. 1D, the distributed proxy mayinclude a respective proxy associated with each pod of the networkfunction NF-1, as described above with respect to FIG. 1C. Thedistributed proxy may include a master proxy (shown as MP1 in FIG. 1D).The master proxy may enable the respective proxies associated with eachpod to communicate with other proxies of the network function NF-1and/or another network function (e.g., another proxy included in anothernetwork function).

For example, a proxy P1-1 may receive data from pod C1-1. The proxy P1-1may determine that the data is to be transmitted to pod C1-2. The proxyP1-1 may transmit the data to the master proxy MP1 based on aconfiguration of the proxy P1-1 and/or a set of network rules associatedwith proxy P1-1. The master proxy MP1 may receive the data and maydetermine that the data is to be transmitted to pod C1-2. The masterproxy MP1 may transmit the data to pod C1-2 via proxy P1-2 based on aconfiguration of the proxy MP1 and/or a set of network rules associatedwith the master proxy MP1. For example, the set of network rules maycause the master proxy MP1 to utilize a certificate issued by CA 104 totransmit the data to proxy P1-2, as described below. Proxy P1-2 mayreceive the data and may provide the data to pod C1-2.

In some implementations, the master proxy MP1 is a signing agent that isauthorized to issue certificates to the plurality of proxies. Forexample, the certificate manager 103 may designate the master proxy as asigning agent. The master proxy MP1 may obtain a certificate from thecertificate manager 103 and/or the CA 104, in a manner similar to thatdescribed below with respect to FIG. 1G. The master proxy MP1 mayreceive requests for certificates and/or issue certificates to theplurality of proxies based on the certificate obtained from thecertificate manager 103 and/or the CA 104. In some implementations, themaster proxy issues certificates in a manner similar to that describedbelow with respect to FIG. 1G.

In some implementations, the distributed proxy includes a single proxy.For example, as shown in FIG. 1E, the distributed proxy includes a proxyP1 associated with the plurality of components (e.g., pods) of thenetwork function NF-1. The proxy P1 may enable a pod of the networkfunction NF-1 to communicate with other pods of the network functionNF-1 and/or another network function (e.g., another pod included inanother network function).

For example, the proxy P1 may receive data from pod C1-1. The proxy P1may determine that the data is to be transmitted to pod C1-2. The proxyP1-1 may transmit the data to the pod C1-2 based on a configuration ofthe proxy P1 and/or a set of network rules associated with proxy P1. Forexample, the set of network rules may cause the proxy P1 to utilize acertificate issued by CA 104 to transmit the data to pod C1-2, asdescribed below.

As shown in FIG. 1F, and by reference number 130, the certificatemanager 103 determines that the distributed proxy has been instantiated.In some implementations, the certificate manager 103 may determine thatthe distributed proxy has been instantiated based on informationprovided by the network function orchestrator 101. For example, thenetwork function manager 102 may provide a notification to thecertificate manager 103 based on instantiating the distributed proxy.The notification may include an identifier associated with the networkfunction NF-1, an identifier associated with the distributed proxy,information indicating a configuration of the distributed proxy (e.g.,information indicating that the distributed proxy includes a respectiveproxy associated with each component of the network function NF-1,information indicating that the distributed proxy includes a masterproxy and a respective proxy associated with each component of thenetwork function NF-1, and/or information indicating that thedistributed proxy includes a single proxy, and/or the like). Thenotification may also include an identifier associated with a componentof the network function NF-1, an identifier associated with the networkfunction NF-1, information indicating that the distributed proxy hasbeen instantiated, information identifying an IP address associated withthe distributed proxy, and/or information identifying an IP addressassociated with a component of the network function NF-1. Alternativelyand/or additionally, the notification may include informationidentifying an IP address associated with the network function NF-1,information identifying a host associated with the distributed proxy(e.g., a host name, an identifier, and/or another type of informationidentifying a physical device on which the distributed proxy, acomponent of the network function NF-1, and/or the network function NF-1has been instantiated or deployed), and/or the like.

Alternatively, and/or additionally, the certificate manager 103 maydetermine that the distributed proxy has been instantiated based oninformation provided by the distributed proxy. For example, thedistributed proxy may generate a request for a certificate. The requestmay include information identifying an IP address associated with thedistributed proxy, information identifying a host associated with thedistributed proxy, and/or the like.

In some implementations, the request includes a public key. For example,the distributed proxy may generate and/or obtain a key pair thatincludes a public key and a private key associated with the distributedproxy. The distributed proxy may include information identifying thepublic key in the request.

The distributed proxy may transmit the request to the certificatemanager 103. The certificate manager 103 may determine that thedistributed proxy has been instantiated based on receiving the request.

The certificate manager 103 may determine to obtain a certificate forthe distributed proxy based on the distributed proxy being instantiated.For example, the certificate manager 103 may determine an identifierassociated with a component of the network function NF-1 associated withthe distributed proxy based on the notification. The certificate manager103 may determine a type of the component of the network function NF-1,an operation to be performed by the component of the network functionNF-1, a communication protocol associated with the component of thenetwork function NF-1, and/or the like based on the identifier. Forexample, the certificate manager 103 may access a data structure (e.g.,a database, a list, and/or the like) stored in a memory associated withthe certificate manager 103. The data structure may store informationassociating identifiers with types of components of network functions,information associating types of components of network functions withoperations performed by the types of components of network functions,communication protocols associated with the types of components ofnetwork functions, application program interfaces associated with thetypes of components of network functions, and/or the like.

The certificate manager 103 may determine to obtain a certificate forthe distributed proxy based on the type of component of the networkfunction NF-1, the operation to be performed by the component of thenetwork function NF-1, the communication protocol associated with thecomponent of the network function NF-1, and/or the like. For example,the certificate manager 103 may determine that the component of thenetwork function NF-1 is to utilize a certificate to communicate withone or more other components of the network function NF-1 and/or one ormore components of other network functions included in the core networkinfrastructure based on the component of the network function NF-1 beinga particular type of component of the network function, based on thecomponent of the network function NF-1 being configured to perform aparticular operation, and/or the like.

Alternatively, and/or additionally, the certificate manager 103 maydetermine that a communication protocol associated with the component ofthe network function NF-1 is not a communication protocol forcommunicating with the CA 104. The certificate manager 103 may determineto obtain the certificate for the distributed proxy (e.g., rather thanfor the component of the network function NF-1) based on thecommunication protocol associated with the component of the networkfunction NF-1 not being a communication protocol for communicating withthe CA 104.

In some implementations, the certificate manager 103 may determine toobtain a certificate for the distributed proxy based on a set of networkrules for communicating within the network. For example, the networkfunction FN-1 may be a containerized network function that includes agroup of one or more pods for performing one or more tasks associatedwith the network function NF-1. The distributed proxy may implement aset of network rules for a group of pods. The set of network rules maycause a pod, of the group of pods, to communicate with another pod ofthe group of pods and/or with a pod included in another containerizednetwork function via the distributed proxy. The certificate manager 103may determine the set of network rules associated with the distributedproxy and may determine to obtain a certificate for the distributedproxy based on the set of network rules.

As shown in FIG. 1G, and by reference number 140, the certificatemanager 103 obtains a certificate for the distributed proxy. Forexample, the certificate manager 103 may generate and/or transmit arequest for a certificate to the CA 104 to obtain a certificate for thedistributed proxy. The request may include information identifying acomponent of the network function NF-1, information identifying thedistributed proxy, information identifying a proxy included in thedistributed proxy, a public key, information identifying the certificatemanager 103, information identifying an application program interfaceassociated with the distributed proxy, information identifying acommunication protocol associated with the distributed proxy, and/or thelike. The items listed above as being included in the request areintended as examples of items that may be included in the request. Inpractice, the request may include any single one of these items, anycombination of these items, and/or one or more other items not listedabove.

In some implementations, a public key generated by the distributed proxyis included in the request. In some implementations, a public keygenerated by the certificate manager 103 is included in the request. Forexample, the certificate manager 103 may generate a key pair thatincludes a private key and a public key based on determining that thedistributed proxy is instantiated, based on determining to obtain thecertificate for the distributed proxy, and/or the like.

In some implementations, the request does not include a public key. Forexample, the CA 104 may generate the public key and/or the private key,the distributed proxy may utilize another form of encryption to transmitdata, and/or the like.

In some implementations, the certificate manager 103 may generate and/ortransmit a single request for a certificate associated with the networkfunction NF-1. For example, the certificate manager 103 may generateand/or transmit the single request in situations where the distributedproxy includes a single proxy, as described above with respect to FIG.1E, or a master proxy, as described above with respect to FIG. 1D. Thecertificate manager 103 may generate and/or transmit a request for acertificate to CA 104 to obtain a single certificate (or multiplecertificates having a same certificate identifier) associated with thenetwork function NF-1 based on the distributed proxy including a singleproxy or a master proxy.

In some implementations, the certificate manager 103 may generate and/ortransmit a one or more requests to CA 104 to obtain multiplecertificates associated with the network function NF-1. For example, thecertificate manager 103 may generate and/or transmit the one or morerequests in situations where the distributed proxy includes a pluralityof proxies corresponding to components of the network function NF-1, asdescribed above with respect to FIG. 1C. The certificate manager 103 maygenerate and/or transmit one or more requests for certificates to the CA104 to obtain certificates for the plurality of proxies.

The CA 104 may receive the request(s) and may verify an identity of thenetwork function NF-1, a component of the network function NF-1, and/orthe distributed proxy. For example, the CA 104 may determine that thenetwork function NF-1, the component of the network function NF-1, thedistributed proxy, and/or the certificate manager 103 are included in anetwork associated with a service provider associated with the CA 104.In some implementations, the CA 104, the network function NF-1, thecomponent of the network function NF-1, the distributed proxy, and/orthe certificate manager 103 may be associated with a same host platform.The CA 104 may determine that the network function NF-1, the componentof the network function NF-1, the distributed proxy, and/or thecertificate manager 103 are included in the network associated with theservice provider based on the CA 104, the network function NF-1, thecomponent of the network function NF-1, the distributed proxy, and/orthe certificate manager 103 being associated with the same hostplatform.

The CA 104 may verify the identity of the network function NF-1, thecomponent of the network function NF-1, and/or the distributed proxybased on the network function NF-1, the component of the networkfunction NF-1, the distributed proxy, and/or the certificate manager 103being included in the network associated with the service provider. Inthis way, the CA 104 may quickly and efficiently verify the identity ofthe network function NF-1, the component of the network function NF-1,and/or the distributed proxy.

The CA 104 may generate one or more certificates associated with thenetwork function NF-1 based on verifying the identity of the networkfunction NF-1, the component of the network function NF-1, and/or thedistributed proxy. In some implementations, the CA 104 may generate asingle certificate associated with the network function. For example,the CA 104 may receive a request that includes information indicatingthat the distributed proxy includes a master proxy, that the distributedproxy includes a single proxy, that the distributed proxy is to utilizea single certificate, and/or the like. The CA 104 may generate a singlecertificate associated with the network function based on theinformation included in the request.

In some implementations, the CA 104 may generate a plurality ofcertificates associated with the network function NF-1. For example, theCA 104 may receive one or more requests that include informationindicating that the distributed proxy includes a plurality of proxiescorresponding to components of the network function NF-1, the CA 104 mayuse information in the one or more requests to obtain certificates forthe respective proxies from the certificate manager 103, and/or thelike. The CA 104 may generate the plurality of certificates associatedwith the network function NF-1 based on the information included in theone or more requests and/or based on receiving multiple requests forcertificates from the certificate manager 103.

In some implementations, the CA 104 generates a plurality of uniquecertificates (e.g., a plurality of certificates having differentcertificate IDs, including different public keys, and/or the like). Forexample, the CA 104 may receive a request that includes informationindicating that each respective proxy is to utilize a unique certificateto communicate with the network. The CA 104 may generate the pluralityof unique certificates based on the information included in the request.

In some implementations, the CA 104 may generate the certificate basedon an available key configuration and/or a certification protocolassociated with the CA 104. For example, the CA 104 may receive arequest that includes information identifying the distributed proxyassociated with the network function NF-1, information identifying arespective proxy of the distributed proxy, information identifying acommunication protocol associated with the network function NF-1,information identifying a type of network function associated with thenetwork function NF-1, and/or the like. The CA 104 may determine acertification protocol based on the information included in the request.The CA 104 may determine that the certification protocol is associatedwith a key (e.g., a private key, a public key, and/or the like) and/or aparticular key configuration. The CA 104 may identify, from a key datastructure stored in a memory associated with the CA 104, an availablekey configuration for the certificate based on the certificationprotocol being associated with the key and/or the particular keyconfiguration. The CA 104 may generate the certificate based on theavailable key configuration and based on the certification protocol.

The certificate may include information identifying the CA 104,information identifying the network function NF-1, informationidentifying the distributed proxy, information identifying a componentof the network function NF-1, information identifying a respective proxyof the distributed proxy, the public key, information identifying anapplication interface associated with the distributed proxy, informationidentifying a communication protocol associated with the CA 104 (e.g.,certificate management protocol, version 2 (CMPv2), simple certificateenrollment protocol (SCEP), enrollment over secure transport (EST),and/or the like), and/or the like. The items listed above as beingincluded in the certificate are intended as examples of items that maybe included in the certificate. In practice, the certificate may includeany single one of these items, any combination of these items, and/orone or more other items not listed above. The CA 104 may store thecertificate in a data structure stored in a memory of the CA 104 and/ormay transmit the certificate to the certificate manager 103.

The certificate manager 103 may receive the certificate from the CA 104and may store the certificate in a memory (e.g., secure storage)associated with the certificate manager 103. As shown in FIG. 1H, and byreference number 150, the certificate manager 103 generates acertificate profile for the distributed proxy. The certificate profilemay include the certificate, the private key (e.g., when the key pairincluding the private key and the public key is generated by thecertificate manager 103 and/or the CA 104), information identifying thecertification protocol associated with the CA 104, informationidentifying the certificate authority (e.g., CA 104), informationidentifying the application program interface associated with thedistributed proxy, information identifying the certificate manager 103,information identifying an IP address associated with the distributedproxy, and/or the like. The items listed above as being included in thecertificate profile are intended as examples of items that may beincluded in the certificate profile. In practice, the certificateprofile may include any single one of these items, any combination ofthese items, and/or one or more other items not listed above.

In some implementations, the certificate manager 103 may generate aplurality of certificate profiles associated with the distributed proxy.For example, the distributed proxy may include a plurality of proxies(e.g., a respective proxy for each of a plurality of components of thenetwork function NF-1). The certificate manager 103 may obtain acertificate for each proxy of the plurality of proxies. The certificatemanager 103 may generate a certificate profile for each proxy and maytransmit a certificate profile to a proxy, of the plurality of proxies,for which the certificate profile was generated.

As shown in FIG. 1I, and by reference number 160, the network functionorchestrator 101 provides the certificate profile to the distributedproxy. For example, the certificate manager 103 may transmit thecertificate profile to the distributed proxy to enable a component ofthe network function NF-1 to communicate in a secure manner (e.g., viaencrypted data, via a secure communication session, and/or the like)with other components of the network function NF-1 and/or with othernetwork functions included in the core network infrastructure.

As shown in FIG. 1J, and by reference number 170, the network functionNF-1 initiates communications for a UE session. In some implementations,the network function NF-1 initiates communications with another networkfunction (e.g., NF-2 as shown in FIG. 1J). For example, the networkfunction NF-1 may determine to establish a communication session withthe network function NF-2 to allow the UE 105 to access a serviceprovided by the network. The network function NF-1 may utilize thedistributed proxy to generate the request and/or to transmit the requestto the network function NF-2.

For example, as shown in FIG. 1K, the network function NF-1 may includea plurality of components (shown as C1-1 through C1-8). Each componentmay be associated with a respective proxy of the distributed proxy(shown as P1-1 through P1-8). A first component of the network functionNF-1 (shown as C1-1) may generate data associated with the request toestablish the communication session with the network function NF-2. Thecomponent C1-1 may transmit the data to proxy P1-1. The proxy P1-1 maydetermine that the data is to be transmitted to component C1-8. Theproxy P1-1 may transmit a notification to proxy P1-8 indicating that theproxy P1-1 is to transmit the data to component C1-8 via the proxy P1-8.The notification may include the certificate included in the certificateprofile, a digital signature associated with the proxy P1-1, and/or thelike.

The proxy P1-8 may receive the notification and may verify the identityof the proxy P1-1 (e.g., verify that the notification was transmitted bythe proxy P1-1) and/or authenticate the proxy P1-1 based on thecertificate. As shown in FIG. 1K, and by reference number 180, the proxyP1-8 verifies the identity of the proxy P1-1 to enable communicationwith the proxy P1-1. For example, the proxy P1-8 may transmit a requestfor the public key associated with the proxy P1-1 to the certificatemanager 104 or the CA 104. The request may include informationidentifying the certificate issued to the proxy P1-1, informationidentifying the proxy P1-1, and/or the like. For the description tofollow, assume that the proxy P1-8 transmits the request to the CA 104.

The CA 104 may receive the request and may determine whether thecertificate issued for the proxy P1-1 has been revoked based on acertificate revocation list (CRL) stored in a memory of the CA 104. TheCRL may store information identifying certificates that have beenrevoked. The CA 104 may determine that the CRL does not includeinformation identifying the certificate issued to the proxy P1-1. The CA104 may determine that the certificate is valid (e.g., active, notrevoked, and/or the like) based on the CRL not including informationidentifying the certificate. The CA 104 may obtain the public keyassociated with the proxy P1-1 and may transmit the public key and/orinformation indicating that the certificate is valid to the proxy P1-8based on the certificate being valid.

The proxy P1-8 may verify the identity of the proxy P1-1 based on thepublic key and/or the information indicating that the certificate isvalid. The proxy P1-1 may encrypt the digital signature included in therequest transmitted to the proxy P1-8 based on the private keyassociated with the proxy P1-1. The proxy P1-8 may decrypt the digitalsignature based on the public key associated with the proxy P1-1. Theproxy P1-8 may verify the identity of the proxy P1-1 based on decryptingthe digital signature based on the public key associated with the proxyP1-1.

In some implementations, the proxy P1-8 transmits a response to theproxy P1-1 based on verifying the identity of the proxy P1-1. Theresponse may include information indicating that the proxy P1-8 verifiedthe identity of the proxy P1-1 and/or a certificate issued to the proxyP1-8. The proxy P1-1 may receive the response and may verify theidentity of the proxy P1-8 based on the certificate included in theresponse. In some implementations, the proxy P1-1 verifies the identityof the proxy P1-8 in a manner similar to that described above withrespect to FIG. 1K.

The proxy P1-1 may encrypt the data utilizing the public key associatedwith the proxy P1-8 and may transmit the encrypted data to the proxyP1-8 based on verifying the identity of the proxy P1-8. The proxy P1-8may receive the encrypted data and may utilize the private keyassociated with the proxy P1-8 to decrypt the encrypted data. The proxyP1-8 may provide the decrypted data to the component C1-8. The componentC1-8 may utilize the decrypted data to establish the communicationsession with the network function NF-2.

For example, the component C1-8 may generate a request to establish thecommunication session with the network function NF-2 based on thedecrypted data. The component C1-8 may provide the request to the proxyP1-8. The proxy P1-8 may transmit the request and information associatedwith a certificate issued to the proxy P1-8 to the network function NF-2(e.g., a distributed proxy associated with the network function NF-2).The information associated with the certificate issued to the proxy P1-8may include the certificate, a digital signature associated with theproxy P1-8, and/or the like.

The network function NF-2 may receive the request and the informationassociated with the certificate issued to the proxy P1-8 and may verifythe identity of the proxy P1-8 (e.g., verify that the request wastransmitted by the proxy P1-8) and/or authenticate the proxy P1-8 basedon the certificate. In some implementations, the network function NF-2verifies the identity of the proxy P1-8 and/or authenticates the proxyP1-8 in a manner similar to that described above with respect to FIG.1K. The network function NF-2 verifies the identity of the proxy P1-8 toenable communication with the network function NF-1 for thecommunication session with the UE 105.

In some implementations, the network function NF-2 transmits a responseto the proxy P1-8 based on verifying the identity of the proxy P1-8. Theresponse may include information indicating that the network functionNF-2 verified the identity of the proxy P1-8 and/or a certificate issuedto the network function NF-2. The proxy P1-8 may receive the responseand may verify the identity of the network function NF-2 based on thecertificate included in the response. In some implementations, the proxyP1-8 verifies the identity of the network function NF-2 in a mannersimilar to that described above with respect to FIG. 1K.

The network function NF-1 may establish the communication session withthe UE 105 and/or the network function NF-2 to provide the service tothe UE 105 based on receiving the response and/or verifying the identityof the network function NF-2. As shown in FIG. 1L, and by referencenumber 190, the network function NF-1 is enabled for the communicationsession with the UE 105 based on establishing the communication sessionwith the network function NF-2.

By utilizing a private PKI to verify an identity of an entity in anetwork, a network architecture of the network can be quickly andefficiently modified to adapt to a current network condition (e.g., arequest from a UE to access a service provided by the network, networkcongestion, a failure of a network function, a failure of a host device,and/or the like). Further, because the certificates are not stored in apublic database, a risk of creating a security vulnerability associatedwith the network may be decreased, as discussed above.

Further, because the distributed proxy requests and obtains thecertificate for the network function and/or a component of the networkfunction, the network function and/or the component of the networkfunction can be configured to include a limited set of protocols (e.g.,a set of protocols that does not include a protocol used solely forcommunicating with a public CA). In this way, fewer computing resourcesmay be utilized to implement the network function relative to acorresponding network function that obtains a certificate from a publicCA.

As indicated above, FIGS. 1A-1L are provided as one or more examples.Other examples may differ from what is described with regard to FIGS.1A-1L. The number and arrangement of devices shown in FIGS. 1A-1L areprovided as an example. In practice, there may be additional devices,fewer devices, different devices, or differently arranged than thoseshown in FIGS. 1A-1L. Furthermore, two or more devices shown in FIGS.1A-1L may be implemented within a single device, or a single deviceshown in FIGS. 1A-1L may be implemented as multiple, distributeddevices. Additionally, or alternatively, a set of devices (e.g., one ormore devices) shown in FIGS. 1A-1L may perform one or more functionsdescribed as being performed by another set of devices shown in FIGS.1A-1L.

FIG. 2 is a diagram of an example environment 200 in which systemsand/or methods described herein may be implemented. As shown in FIG. 2,environment 200 may include a network function orchestrator 101, acertificate manager 103, a CA 104, one or more UE(s) 105 (referred toherein individually as UE 105 or collectively as UEs 105), a RAN 210,one or more base stations 212 (referred to herein individually as basestation 212 or collectively as base stations 212), a core network 220,and a data network 230. Devices of environment 200 may interconnect viawired connections, wireless connections, or a combination of wired andwireless connections.

Network function orchestrator 101 includes one or more devices,components, or functions (implemented on one or more devices) to performone or more functions described herein. Network function orchestrator101 may instantiate network functions, terminate network functions,scale network functions to enable UE 105 to utilize one or more servicesprovided by core network 220, and/or the like.

Certificate manager 103 includes one or more devices for provisioning,managing, and/or providing certificates to entities included in corenetwork 220. Certificate manager 103 may determine that a networkfunction has been instantiated in core network 220, may obtain acertificate for the network function, and may provide the certificate tothe network function to enable the network function to communicate withother network functions within core network 220.

CA 104 includes one or more devices, components, or functions(implemented on one or more devices) to generate and providecertificates, as described herein. For example, CA 104 may receive arequest for a certificate, verify an identity of an entity for which thecertificate is to be generated, and generate the certificate based onverifying the identity of the entity

UE 105 includes one or more devices capable of communicating with basestation 212 and/or a network (e.g., core network 220, data network 230,and/or the like). For example, UE 105 may include a wirelesscommunication device, a radiotelephone, a personal communications system(PCS) terminal (e.g., that may combine a cellular radiotelephone withdata processing and data communications capabilities), a smart phone, alaptop computer, a tablet computer, a personal gaming system, and/or asimilar device. UE 105 may be capable of communicating using uplink(e.g., UE to base station) communications, downlink (e.g., base stationto UE) communications, and/or side link (e.g., UE-to-UE) communications.In some implementations, UE 105 may include a machine-type communication(MTC) UE, such as an evolved or enhanced MTC (eMTC) UE. In someimplementations, UE 105 may include an IoT UE, such as a narrowband IoT(NB-IoT) UE and/or the like. In some implementations, UE 105 may performone or more actions described as being performed by the UE of exampleimplementation 100.

RAN 210 can include a base station and be operatively connected, via awired and/or wireless connection, to the core network 220 through a userplane function (UPF). RAN 210 can facilitate communication sessionsbetween UEs 105 and data network 230 by communicatingapplication-specific data between RAN 210 and core network 220.

Base station 212 includes one or more devices capable of communicatingwith UE 105 using a cellular Radio Access Technology (RAT). For example,base station 212 may include a base transceiver station, a radio basestation, a node B, an evolved node B (eNB), a gNB, a base stationsubsystem, a cellular site, a cellular tower (e.g., a cell phone tower,a mobile phone tower, etc.), an access point, a transmit receive point(TRP), a radio access node, a macrocell base station, a microcell basestation, a picocell base station, a femtocell base station, or a similartype of device. Base station 212 may transfer traffic between UE 105(e.g., using a cellular RAT), other base stations 212 (e.g., using awireless interface or a backhaul interface, such as a wired backhaulinterface), and/or data network 230. Base station 212 may provide one ormore cells that cover geographic areas. Some base stations 212 may bemobile base stations. Some base stations 212 may be capable ofcommunicating using multiple RATs.

In some implementations, base station 212 may perform scheduling and/orresource management for UEs 105 covered by base station 212 (e.g., UEs105 covered by a cell provided by base station 212). In someimplementations, base station 212 may be controlled or coordinated by anetwork controller, which may perform load balancing, network-levelconfiguration, and/or the like. The network controller may communicatewith base station 212 via a wireless or wireline backhaul. In someimplementations, base station 212 may include a network controller, aself-organizing network (SON) module or component, or a similar moduleor component. In other words, base station 212 may perform networkcontrol, scheduling, and/or network management functions (e.g., forother base stations 212 and/or for uplink, downlink, and/or side linkcommunications of UEs 105 covered by the base station 212). In someimplementations, base station 212 may include a central unit andmultiple distributed units. The central unit may coordinate accesscontrol and communication with regard to the multiple distributed units.The multiple distributed units may provide UEs 105 and/or other basestations 212 with access to data network 230.

Core network 220 includes various types of core network architectures,such as a 5GC (e.g., core network 300 of FIG. 3), an LTE evolved packetcore (EPC), and/or the like. In some implementations, core network 220may be implemented on physical devices, such as gateways, mobilitymanagement entities, and/or the like. In some implementations, thehardware and/or software implementing core network 220 can bevirtualized (e.g., through the use of network function virtualizationand/or software-defined networking), thereby allowing for the use ofcomposable infrastructure when implementing core network 220. In thisway, networking, storage, and compute resources can be allocated toimplement the functions of core network 220 in a flexible manner asopposed to relying on dedicated hardware and software to implement thesefunctions. Core network 220 may be managed by network functionorchestrator 101.

Data network 230 includes one or more wired and/or wireless datanetworks. For example, data network 230 can include an IP MultimediaSubsystem (IMS), a public land mobile network (PLMN), a local areanetwork (LAN), a wide area network (WAN), a metropolitan area network(MAN), a private network such as a corporate intranet, an ad hocnetwork, the Internet, a fiber optic-based network, a cloud computingnetwork, a third party services network, an operator services network,and/or the like, and/or a combination of these or other types ofnetworks.

The number and arrangement of devices and networks shown in FIG. 2 areprovided as one or more examples. In practice, there may be additionaldevices and/or networks, fewer devices and/or networks, differentdevices and/or networks, or differently arranged devices and/or networksthan those shown in FIG. 2. Furthermore, two or more devices shown inFIG. 2 may be implemented within a single device, or a single deviceshown in FIG. 2 may be implemented as multiple, distributed devices.Additionally, or alternatively, a set of devices (e.g., one or moredevices) of environment 200 may perform one or more functions describedas being performed by another set of devices of environment 200.

FIG. 3 is a diagram of an example functional architecture of a corenetwork 300 in which systems and/or methods, described herein, can beimplemented. As shown in FIG. 3, core network 300 may include a number(or quantity) of functional elements. The functional elements of corenetwork 300 may communicate via a message bus 302. As shown in FIG. 3,the functional elements may include, for example, a network sliceselection function (NSSF)) 304, an authentication server function (AUSF)306, a unified data management (UDM) function 308, a network functionrepository function (NRF) 310, a network exposure function (NEF) 312, anapplication function (AF) 314, an access and mobility managementfunction (AMF) 316, a policy control function (PCF) 318, an unstructureddata storage function (UDSF) 320, a session management function (SMF)322, a user plane function (UPF) 324, and/or the like. As shown, thesefunctional elements may be communicatively connected via message bus302.

Each of the functional elements shown in FIG. 3 is implemented on one ormore devices associated with a wireless telecommunications system. Insome implementations, one or more of the functional elements may beimplemented on physical devices, such as an access point, a basestation, a gateway, and/or the like. In some implementations, one ormore of the functional elements may be implemented on a computing deviceof a cloud computing environment.

NSSF 304 is a hardware-based element that may select network sliceinstances (NSIs) for UEs (and/or may determine network slice policies tobe applied at a RAN). By providing network slicing, NSSF 304 allows anoperator to deploy multiple substantially independent end-to-endnetworks potentially with the same infrastructure. In someimplementations, each slice may be customized for different services.

AUSF 306 is a hardware-based element that may act as an authenticationserver and support the process of authenticating UEs in the wirelesstelecommunications system. UDM 308 can store subscriber data andprofiles in the wireless telecommunications system. UDM 308 can be usedfor fixed access, mobile access, and/or the like, in core network 300.

NRF 310 is a hardware-based element that may interface with NEF 312 toprovide AMF 316 with group messages. NRF 310 may enable the functionalelements of core network 300 to discover and communicate with oneanother via message bus 302. NEF 312 is a hardware-based element thatmay support the exposure of capabilities and/or events in the wirelesstelecommunications system to help other entities in the wirelesstelecommunications system discover network services. For example, NEF312 may support the exposure of group messages that may be provided viaa group messaging service.

AF 314 may be a hardware-based element that may support applicationinfluence on traffic routing, access to NEF 312, policy control, and/orthe like. In some implementations, AMF 316 may be a hardware-basedelement that may act as a termination point for Non-Access Stratum (NAS)signaling, mobility management, and/or the like. AMF 316 can provideauthentication and authorization of UEs and mobility management (e.g.,provisioning UEs to use NSIs associated with SDDs as described herein).PCF 318 can provide a policy framework that incorporates networkslicing, roaming, packet processing, mobility management, and/or thelike.

UDSF 320 includes one or more data structures configured to storeinformation, mappings, and/or the like associated with the core network300. For example, UDSF 320 may include one or more tables, mappings,graphs, and/or the like of resources, NSIs, slice deploymentdescriptions (SDDs), and/or the like.

SMF 322 may be a hardware-based element that may support theestablishment, modification, and release of communication sessions inthe wireless telecommunications system. For example, SMF 322 mayconfigure traffic steering policies at UPF 324, enforce UE IP addressallocation and policies, and/or the like. SMF 322 can support theestablishment, modification, and release of communication sessions inthe wireless telecommunications system. For example, SMF 322 canconfigure traffic steering policies at UPF 324, enforce UE IP addressallocation and policies, and/or the like. AMF 316 and SMF 322 can act asa termination point for Non-Access Stratum (NAS) signaling, mobilitymanagement, and/or the like. SMF 322 can act as a termination point forsession management related to NAS. RAN 210 can send information (e.g.,the information that identifies the UE) to AMF 316 and/or SMF 322 viaPCF 318.

UPF 324 is a hardware-based element that may serve as an anchor pointfor intra/inter-RAT mobility. UPF 324 may apply rules to packets, suchas rules pertaining to packet routing, traffic reporting, handling userplane QoS, and/or the like. Message bus 302 represents a communicationstructure for communication among the functional elements. In otherwords, message bus 302 may permit communication between two or morefunctional elements of core network 300.

The number and arrangement of functional elements shown in FIG. 3 areprovided as an example. In practice, there may be additional functionalelements, fewer functional elements, different functional elements, ordifferently arranged functional elements than those shown in FIG. 3.Furthermore, two or more functional elements shown in FIG. 3 may beimplemented within a single device, or a single functional element shownin FIG. 3 may be implemented as multiple, distributed devices.Additionally, or alternatively, a set of functional elements (e.g., oneor more functional elements) of core network 300 may perform one or morefunctions described as being performed by another set of functionalelements of core network 300.

FIG. 4 is a diagram of example components of a device 400. Device 400may correspond to network function orchestrator 101, certificate manager103, certificate authority 104, UE 105, base station 212, NSSF 304, AUSF306, UDM 308, NRF 310, NEF 312, AF 314, AMF 316, PCF 318, UDSF 320, SMF322, and/or UPF 324. In some implementations, network functionorchestrator 101, certificate manager 103, certificate authority 104, UE105, base station 212, NSSF 304, AUSF 306, UDM 308, NRF 310, NEF 312, AF314, AMF 316, PCF 318, UDSF 320, SMF 322, and/or UPF 324 may include oneor more devices 400 and/or one or more components of device 400. Asshown in FIG. 4, device 400 may include a bus 410, a processor 420, amemory 430, a storage component 440, an input component 450, an outputcomponent 460, and a communication interface 470.

Bus 410 includes a component that permits communication among multiplecomponents of device 400. Processor 420 is implemented in hardware,firmware, and/or a combination of hardware and software. Processor 420is a central processing unit (CPU), a graphics processing unit (GPU), anaccelerated processing unit (APU), a microprocessor, a microcontroller,a digital signal processor (DSP), a field-programmable gate array(FPGA), an application-specific integrated circuit (ASIC), or anothertype of processing component. In some implementations, processor 420includes one or more processors capable of being programmed to perform afunction. Memory 430 includes a random access memory (RAM), a read onlymemory (ROM), and/or another type of dynamic or static storage device(e.g., a flash memory, a magnetic memory, and/or an optical memory) thatstores information and/or instructions for use by processor 420.

Storage component 440 stores information and/or software related to theoperation and use of device 400. For example, storage component 440 mayinclude a hard disk (e.g., a magnetic disk, an optical disk, and/or amagneto-optic disk), a solid state drive (SSD), a compact disc (CD), adigital versatile disc (DVD), a floppy disk, a cartridge, a magnetictape, and/or another type of non-transitory computer-readable medium,along with a corresponding drive.

Input component 450 includes a component that permits device 400 toreceive information, such as via user input (e.g., a touch screendisplay, a keyboard, a keypad, a mouse, a button, a switch, and/or amicrophone). Additionally, or alternatively, input component 450 mayinclude a component for determining location (e.g., a global positioningsystem (GPS) component) and/or a sensor (e.g., an accelerometer, agyroscope, an actuator, another type of positional or environmentalsensor, and/or the like). Output component 460 includes a component thatprovides output information from device 400 (via, e.g., a display, aspeaker, a haptic feedback component, an audio or visual indicator,and/or the like).

Communication interface 470 includes a transceiver-like component (e.g.,a transceiver, a separate receiver, a separate transmitter, and/or thelike) that enables device 400 to communicate with other devices, such asvia a wired connection, a wireless connection, or a combination of wiredand wireless connections. Communication interface 470 may permit device400 to receive information from another device and/or provideinformation to another device. For example, communication interface 470may include an Ethernet interface, an optical interface, a coaxialinterface, an infrared interface, a radio frequency (RF) interface, auniversal serial bus (USB) interface, a wireless local area networkinterface, a cellular network interface, and/or the like.

Device 400 may perform one or more processes described herein. Device400 may perform these processes based on processor 420 executingsoftware instructions stored by a non-transitory computer-readablemedium, such as memory 430 and/or storage component 440. As used herein,the term “computer-readable medium” refers to a non-transitory memorydevice. A memory device includes memory space within a single physicalstorage device or memory space spread across multiple physical storagedevices.

Software instructions may be read into memory 430 and/or storagecomponent 440 from another computer-readable medium or from anotherdevice via communication interface 470. When executed, softwareinstructions stored in memory 430 and/or storage component 440 may causeprocessor 420 to perform one or more processes described herein.Additionally, or alternatively, hardware circuitry may be used in placeof or in combination with software instructions to perform one or moreprocesses described herein. Thus, implementations described herein arenot limited to any specific combination of hardware circuitry andsoftware.

The number and arrangement of components shown in FIG. 4 are provided asan example. In practice, device 400 may include additional components,fewer components, different components, or differently arrangedcomponents than those shown in FIG. 4. Additionally, or alternatively, aset of components (e.g., one or more components) of device 400 mayperform one or more functions described as being performed by anotherset of components of device 400.

FIG. 5 is a flow chart of an example process 500 associated with systemsand methods for managing public key infrastructure certificates forcomponents of a network. In some implementations, one or more processblocks of FIG. 5 may be performed by a device (e.g., certificate manager103). In some implementations, one or more process blocks of FIG. 5 maybe performed by another device or a group of devices separate from orincluding the device, such as a network function orchestrator (e.g.,network function orchestrator 101), a certificate authority (e.g.,certificate authority 104), and/or the like. Additionally, oralternatively, one or more process blocks of FIG. 5 may be performed byone or more components of a device 400, such as processor 420, memory430, storage component 440, input component 450, output component 460,communication interface 470, and/or the like.

As shown in FIG. 5, process 500 may include determining that a networkfunction of a network is to use a secure communication protocol (block510). For example, the device may determine that a network function of anetwork is to use a secure communication protocol, as described above.In some implementations, the network function is configured tofacilitate communication via the network.

As further shown in FIG. 5, process 500 may include identifying acomponent of a resource configuration that is to instantiate the networkfunction (block 520). For example, the device may identify a componentof a resource configuration that is to instantiate the network function,as described above.

As further shown in FIG. 5, process 500 may include instantiating, usingthe component, a proxy for the network function (block 530). Forexample, the device may instantiate, using the component, a proxy forthe network function, as described above.

Process 500 may include identifying a set of components of the resourceconfiguration and selecting a component of the set of components toinstantiate the proxy.

The resource configuration may include a first virtual resource that isinstantiated via a first component and a second virtual resource that isinstantiated via a second component. The proxy may be a first proxy thatis configured to communicate, using the certificate, with a secondproxy, for the second virtual resource, that is instantiated via thesecond component.

As further shown in FIG. 5, process 500 may include configuring theproxy to obtain a certificate that is associated with the securecommunication protocol (block 540). For example, the device mayconfigure the proxy to obtain a certificate that is associated with thesecure communication protocol, as described above.

The proxy may be configured to utilize an application programminginterface that is associated with a certificate authority that isconfigured to issue the certificate.

In some implementations, the device, when configuring the proxy, mayindicate a certificate authority that is configured to issue thecertificate to cause the proxy to obtain the certificate from thecertificate authority.

In some implementations, configuring the proxy comprises configuring theproxy to provide the certificate to the other proxy to permit the otherproxy to use the secure communication protocol to perform the operation.

In some implementations, configuring the proxy comprises designating theproxy as a signing agent to cause the proxy to use the certificate inassociation with a communication with another network function and/oranother proxy associated with the resource configuration.

In some implementations, configuring the proxy comprises configuring theproxy to utilize an application programming interface that is associatedwith a certificate authority that is configured to issue thecertificate.

In some implementations, configuring the proxy comprises configuring theproxy to renew the certificate after an expiration of the certificate topermit the network function to continue to operate beyond theexpiration.

As further shown in FIG. 5, process 500 may include causing the proxy touse the certificate to communicate with another proxy that is associatedwith the network function to perform an operation associated with thenetwork function (block 550). For example, the device may cause theproxy to use the certificate to communicate with another proxy that isassociated with the network function to perform an operation associatedwith the network function, as described above.

In some implementations, the other proxy is instantiated via a secondcomponent that is separate from the first component.

In some implementations, a communication, that is between the proxy andthe other proxy and utilizes the secure communication protocol, involvesa mutual transport layer security authentication between the proxy andthe other proxy.

In some implementations, the resource configuration includes a pluralityof virtual resources that are instantiated via a plurality of separatecomponents. The proxy may be configured to distribute certificates toindividual proxies of the plurality of virtual resources to permit theplurality of virtual resources to use the secure communication protocolto instantiate the network function.

Although FIG. 5 shows example blocks of process 500, in someimplementations, process 500 may include additional blocks, fewerblocks, different blocks, or differently arranged blocks than thosedepicted in FIG. 5. Additionally, or alternatively, two or more of theblocks of process 500 may be performed in parallel.

The foregoing disclosure provides illustration and description, but isnot intended to be exhaustive or to limit the implementations to theprecise form disclosed. Modifications and variations may be made inlight of the above disclosure or may be acquired from practice of theimplementations.

As used herein, the term “component” is intended to be broadly construedas hardware, firmware, or a combination of hardware and software.

To the extent the aforementioned implementations collect, store, oremploy personal information of individuals, it should be understood thatsuch information shall be used in accordance with all applicable lawsconcerning protection of personal information. Additionally, thecollection, storage, and use of such information can be subject toconsent of the individual to such activity, for example, through wellknown “opt-in” or “opt-out” processes as can be appropriate for thesituation and type of information. Storage and use of personalinformation can be in an appropriately secure manner reflective of thetype of information, for example, through various encryption andanonymization techniques for particularly sensitive information.

It will be apparent that systems and/or methods described herein may beimplemented in different forms of hardware, firmware, and/or acombination of hardware and software. The actual specialized controlhardware or software code used to implement these systems and/or methodsis not limiting of the implementations. Thus, the operation and behaviorof the systems and/or methods are described herein without reference tospecific software code—it being understood that software and hardwarecan be used to implement the systems and/or methods based on thedescription herein.

Even though particular combinations of features are recited in theclaims and/or disclosed in the specification, these combinations are notintended to limit the disclosure of various implementations. In fact,many of these features may be combined in ways not specifically recitedin the claims and/or disclosed in the specification. Although eachdependent claim listed below may directly depend on only one claim, thedisclosure of various implementations includes each dependent claim incombination with every other claim in the claim set.

No element, act, or instruction used herein should be construed ascritical or essential unless explicitly described as such. Also, as usedherein, the articles “a” and “an” are intended to include one or moreitems, and may be used interchangeably with “one or more.” Further, asused herein, the article “the” is intended to include one or more itemsreferenced in connection with the article “the” and may be usedinterchangeably with “the one or more.” Furthermore, as used herein, theterm “set” is intended to include one or more items (e.g., relateditems, unrelated items, a combination of related and unrelated items,etc.), and may be used interchangeably with “one or more.” Where onlyone item is intended, the phrase “only one” or similar language is used.Also, as used herein, the terms “has,” “have,” “having,” or the like areintended to be open-ended terms. Further, the phrase “based on” isintended to mean “based, at least in part, on” unless explicitly statedotherwise. Also, as used herein, the term “or” is intended to beinclusive when used in a series and may be used interchangeably with“and/or,” unless explicitly stated otherwise (e.g., if used incombination with “either” or “only one of”).

What is claimed is:
 1. A method, comprising: determining, by a device,that a network function of a network is to be instantiated by utilizinga secure communication protocol, wherein the network function is to beconfigured to facilitate communication via the network; identifying, bythe device, a resource configuration that is to instantiate the networkfunction, wherein the resource configuration includes a first virtualresource that is instantiated via a first component and a second virtualresource that is instantiated via a second component; instantiating, bythe device and using the first component, a first proxy for the networkfunction; configuring, by the device, the first proxy to obtain, from acertificate authority, a certificate that is associated with the securecommunication protocol; and causing the first proxy to use thecertificate to communicate with a second proxy, for the second virtualresource, that is instantiated via the second component, to perform anoperation associated with the network function.
 2. The method of claim1, wherein the second component is separate from the first component. 3.The method of claim 1, wherein configuring the first proxy comprises:configuring the first proxy to provide the certificate to the secondproxy to permit the second proxy to use the secure communicationprotocol to perform the operation.
 4. The method of claim 1, wherein acommunication, that is between the first proxy and the second proxy andutilizes the secure communication protocol, involves a mutual transportlayer security authentication between the first proxy and the secondproxy.
 5. The method of claim 1, wherein configuring the first proxycomprises: designating the first proxy as a signing agent to cause thefirst proxy to use the certificate in association with a communicationwith another network function.
 6. The method of claim 1, whereinconfiguring the first proxy to obtain the certificate comprises:configuring the first proxy to utilize an application programminginterface that is associated with a certificate authority that isconfigured to issue the certificate.
 7. The method of claim 1, whereinconfiguring the first proxy comprises: configuring the first proxy torenew the certificate after an expiration of the certificate to permitthe network function to continue to operate beyond the expiration.
 8. Adevice, comprising: one or more memories; and one or more processorsconfigured to: determine that a network function of a network is to beinstantiated by utilizing a secure communication protocol, wherein thenetwork function is to be configured to facilitate communication via thenetwork; determine a resource configuration that is to instantiate thenetwork function, wherein the resource configuration includes a firstvirtual resource that is instantiated via a first component and a secondvirtual resource that is instantiated via a second component;instantiate, based on the resource configuration, a first proxy for thenetwork function, wherein the first proxy is instantiated using thefirst component; and configure the first proxy to obtain, from acertificate authority, a certificate, that is associated with the securecommunication protocol, to permit the network function to beinstantiated to use the secure communication protocol, wherein the firstproxy is configured to communicate, using the certificate, with a secondproxy, for the second virtual resource, that is instantiated via thesecond component.
 9. The device of claim 8, wherein the one or moreprocessors, when determining the resource configuration are configuredto: identify a set of components of the resource configuration, andwherein the one or more processors, when instantiating the first proxy,are configured to: select the first component from the set ofcomponents, to instantiate the first proxy; and instantiate the firstproxy using the first component.
 10. The device of claim 8, wherein theresource configuration includes a plurality of virtual resources thatare instantiated via a plurality of separate components, wherein thefirst proxy is configured by the one or more processors to distributethe certificate to individual proxies of the plurality of virtualresources to permit the plurality of virtual resources to use the securecommunication protocol to instantiate the network function.
 11. Thedevice of claim 8, wherein the one or more processors, when configuringthe first proxy, are configured to: designate the first proxy as asigning agent to cause the first proxy to use the certificate inassociation with a communication with at least one of: another networkfunction, or another proxy associated with the resource configuration.12. The device of claim 8, wherein the one or more processors, whenconfiguring the first proxy, are configured to: configure the firstproxy to utilize an application programming interface that is associatedwith the certificate authority.
 13. The device of claim 8, wherein theone or more processors, when configuring the first proxy to obtain thecertificate, are configured to: indicate the certificate authority thatis configured to issue the certificate to cause the first proxy toobtain the certificate from the certificate authority.
 14. The device ofclaim 8, wherein the one or more processors, when configuring the firstproxy to obtain the certificate, are configured to: designate the firstproxy as a signing agent to cause the first proxy to use the certificatein association with a communication with another network function. 15.The device of claim 8, wherein the one or more processors, whenconfiguring the first proxy to obtain the certificate, are configuredto: configure the first proxy to renew the certificate after anexpiration of the certificate to permit the network function to continueto operate beyond the expiration.
 16. A non-transitory computer-readablemedium storing instructions, the instructions comprising: one or moreinstructions that, when executed by one or more processors, cause theone or more processors to: determine that a network function of anetwork is to be instantiated by utilizing a secure communicationprotocol; determine a resource configuration that is to instantiate thenetwork function, wherein the resource configuration includes a firstvirtual resource that is instantiated via a first component and a secondvirtual resource that is instantiated via a second component;instantiate, based on the resource configuration, a first proxy for thenetwork function, wherein the first proxy is instantiated using thefirst component; and configure the first proxy to obtain, from acertificate authority, a certificate, that is associated with the securecommunication protocol, to permit the network function to use the securecommunication protocol, wherein the first proxy is configured tocommunicate, using the certificate, with a second proxy, for the secondvirtual resource, that is instantiated via the second component.
 17. Thenon-transitory computer-readable medium of claim 15, wherein the firstproxy is instantiated using a component that is associated with theresource configuration.
 18. The non-transitory computer-readable mediumof claim 16, wherein the one or more instructions that cause the one ormore processors to configure the first proxy, cause the one or moreprocessors to: configure the first proxy to utilize an applicationprogramming interface that is associated with the certificate authority.19. The non-transitory computer-readable medium of claim 16, wherein thenetwork function comprises at least one of: a virtual network function,or a containerized network function.
 20. The non-transitorycomputer-readable medium of claim 16, wherein the secure communicationprotocol comprises a transport layer security protocol.